MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

OffLoader

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd
SHA3-384 hash:	27e95d46b9444df0d5d0c70416390ca9b96336f25866fbd3a5595038354833128ec6d553932b9dfb955f2d9458cd6a47
SHA1 hash:	91affa25a8a8b55c1103b66f69d3cb34f798f70d
MD5 hash:	48b1b18505519ce4619b838697959eb8
humanhash:	fifteen-lemon-november-fourteen
File name:	FortnitePotatoGraphicsHowtoplayFortniteonLOWENDPCWithoutGPU-Optibuddy.exe
Download:	download sample
Signature	OffLoader Create hunting rule
File size:	2'098'774 bytes
First seen:	2026-02-16 16:05:22 UTC
Last seen:	2026-02-16 16:37:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	88016fcdef7f227c62171d0afad9aae4 (5 x OffLoader, 3 x Gh0stRAT, 3 x ValleyRAT)
ssdeep	49152:duI5hRq4s3WcUUMxuUO6QQNJ8cOxqDNrlHgVC:d5/o3OnuMNucySNrln
TLSH	T13EA5C03FF28BA13EE06E1A367972A110553B7A61A4128C5296FCF88CCF255701D3E797
TrID	50.8% (.EXE) Inno Setup installer (107240/4/30) 20.4% (.EXE) InstallShield setup (43053/19/16) 19.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.0% (.EXE) Win64 Executable (generic) (6522/11/2) 2.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe OffLoader

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

FortnitePotatoGraphicsHowtoplayFortniteonLOWENDPCWithoutGPU-Optibuddy.exe

Verdict:

Malicious activity

Analysis date:

2026-02-15 00:57:36 UTC

Tags:

adware innosetup

Link:

https://app.any.run/tasks/0ea60db0-cc71-47b6-a558-eabe5febe876

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53435/

Detection(s):

Win.Malware.Cerbu-10059525-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69911a012715406c64799eb5

Tags:

shellcode dropper delphi virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug embarcadero_delphi fingerprint infostealer inno installer installer installer-heuristic packed soft-404

Link:

https://www.filescan.io/uploads/69934047930564ff3ca4017f/reports/47f2f8ac-394b-4693-b280-b6f99ba1b159/overview

Verdict:

Malicious

Labled as:

Application.Cerbu.Generic

Link:

https://www.hybrid-analysis.com/sample/e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd

Verdict:

Malicious

File Type:

exe x32

Detections:

HEUR:Trojan-Downloader.Win32.OffLoader.gen

Link:

https://opentip.kaspersky.com/e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b1183898-4df5-45ab-ba60-1cc6470f4e8e

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1870033

Signature

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Behaviour

Behavior Graph:

Download SVG

Score:

80%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/48b1b18505519ce4619b838697959eb8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd/

Verdict:

Malicious

Threat:

Trojan-Downloader.Win32.OffLoader

Link:

https://tip.neiki.dev/file/e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd

Threat name:

Win32.Trojan.Cerbu

Status:

Malicious

First seen:

2026-02-15 03:15:25 UTC

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4mc522vml7mdth6tsc42thoq6y4vncplkqv52mawvpzltnkmx76q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer

Link:

https://tria.ge/reports/260216-tjq4yac16h/

Behaviour

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Unpacked files

SH256 hash:

e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd

MD5 hash:

48b1b18505519ce4619b838697959eb8

SHA1 hash:

91affa25a8a8b55c1103b66f69d3cb34f798f70d

Link:

https://www.unpac.me/results/3e4a8611-d872-48f6-b86d-2167b3c5f92c/

SH256 hash:

ae2ea6c40e64ad324e7d0f4b9872602899be19eb7099ff8412b14164db8311c6

MD5 hash:

0943279d101b13ffc5e532842ff7ec56

SHA1 hash:

41bbff229fb37b18b643efedf1bf7fac8046b76c

Link:

https://www.unpac.me/results/3e4a8611-d872-48f6-b86d-2167b3c5f92c/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/3e4a8611-d872-48f6-b86d-2167b3c5f92c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e305dd6aac5fd8399fd390b9a99dd0f6395689eb542bdd3016abf2b9b54cbffd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/53435/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample